SEMINAR INSTITUTE
Certification Training
“Cybersecurity: Critical Importance of a Strong Security Culture” Training Material
October 19-21, 2022
Southpoint Resort Casino & Spa Las Vegas, Nevada
2022 Cybersecurity: Critical Importance of a Strong Security Culture
MEET THE SPEAKERS
Cybersecurity: Critical Importance of a Strong Security Culture October 19 – 21, 2022 South Point Hotel & Casino, Las Vegas, Nevada
AGENDA (Subject to Change)

Wednesday, October 19, 2022
8:00 am – 9:00 am    Breakfast
9:00 am – 9:30 am    Welcome/Course Introductions
9:30 am – 10:30 am   Threat Landscape - Overview: 2021 to 2022 Trends and Forecast to 2023 (Sequoyah Simermeyer, Chairman, National Indian Gaming Commission)
10:30 am – 10:45 am  BREAK
10:45 am – 12:15 pm  Cybersecurity is a Board Level Leadership Imperative for Building the Security Culture (Renita DiStefano, Second Derivative)
12:15 pm – 1:15 pm   BREAK
1:15 pm – 2:00 pm    Cyber Insurance Landscape - What are the Changes (Delane Big Crow, Safety Manager, AMERIND)
2:00 pm – 2:45 pm    What are the Crown Jewels that you are Protecting? Data and Data Sovereignty within Tribes (Calandra McCool, Big Fire Law & Policy Group)
2:45 pm – 3:00 pm    BREAK
3:00 pm – 4:30 pm    Building the Human Firewall (Tanja Jacobsen, Director of Security Operations, Cino Security Solutions LLC)

Thursday, October 20, 2022
8:00 am – 9:00 am    Breakfast
9:00 am – 10:30 am   Mapping the MICS to the NIST Framework: Building a Strong Security Foundation (Renita DiStefano, President and CEO, Second Derivative LLC)
10:30 am – 10:45 am  BREAK
10:45 am – 12:15 pm  Essential Elements of a Cybersecurity Compliance Program (Jeremy Rasmussen, Chief Technology Officer, Abacode, Inc.)
12:15 pm – 1:15 pm   BREAK
1:15 pm – 2:45 pm    What is Security as a Service (Amit Sharma, Chief Executive Officer, Big Cyber LLC, a BMM Innovation Group Company)
2:45 pm – 3:00 pm    BREAK
3:00 pm – 4:30 pm    Digital Payment Security - What You Need to Know (Tiger Taylor, Account Executive, Bulletproof a GLI Company; Melissa Aarskaug, Vice President of Business Development, Bulletproof a GLI Company)

Friday, October 21, 2022
8:00 am – 9:00 am    Breakfast
9:00 am – 10:30 am   Tabletop of an Incident (Tanja Jacobsen, Director of Security Operations, Cino Security Solutions LLC; Rebecca Fisher, Cyber Security Risk Adviser, Cino Security Solutions LLC)
10:30 am – 10:45 am  BREAK
10:45 am – 11:45 pm  Are you Prepared to Get Hacked? The Role of Incident Response Plans in your Overall Business Continuity Planning (Tanja Jacobsen, Director of Security Operations, Cino Security Solutions LLC)
11:45 am – 12:15 pm  Resources, Takeaways, Recap of Events, and Next Steps for your Organization (Rebecca Fisher, Cyber Security Risk Adviser, Cino Security Solutions LLC)
NIGC Agency Update On Preparedness And Cyber Indian Gaming Association Cyber Training
National Indian Gaming Commission
E. Sequoyah Simermeyer Commission Chair
Las Vegas, NV October 2022
The National Indian Gaming Commission’s Four Agency-Wide Focus Areas
Industry Integrity: Protecting the valuable tool of Indian gaming that in many communities creates jobs, is the lifeblood for tribal programs, and creates opportunities for tribes to explore and strengthen relationships with neighbors.
Preparedness: Promoting tribes’ capacity to plan for risks to tribal gaming assets including natural disaster threats, the need to modernize and enhance regulatory and gaming operation workforces, or public health and safety emergencies.
Outreach: Cultivating opportunities for outreach to ensure well-informed Indian gaming policy development through diverse relationships, accessible resources, and government-to-government consultation.
Agency Accountability: Meeting the public’s expectation for administrative processes that uphold good governance practices and support efficient and effective decision-making to protect tribal assets.
Factors Shaping the NIGC Perspective on Preparedness in the Cyber Security Area
Increasing Sophistication
NIGC’s Reinvestment
Federal Priority
Industry Innovation
Common Goals Among NIGC Cyber Initiatives
Protect gaming’s reputation as a well- regulated industry.
Protect tribal law makers’ ability to set policy goals.
NIGC Cyber Security Awareness In October www.NIGC.gov
Be Cyber Smart
Have A Plan
Protect Assets
Understand The Goals
The NIGC Year-Long Campaign Promotes #NIGC3For35
Strategic Recruitment
Knowledge Retention
Skills Planning
“Stronger Together”
The NIGC Cyber Security Symposium www.NIGC.gov
Communication Tools
Case Study
Virtual Format
Broad Community
The NIGC Cyber Resource Page Updates www.NIGC.gov
ITVA
Federal Resources
Technical Assistance
NIGC Initiatives
Thank You For Supporting And Following The NIGC’s Outreach And Resource
www.NIGC.gov
Cybersecurity is a Board Level Leadership Imperative for Building the Security Culture
Indian Gaming Association Cybersecurity Training Wednesday, October 19, 2022 10:45 am – 12:15 pm
Welcome
Renita DiStefano - MBA, CISSP, CISM, CRISC, CISA, CSOX, CGEIT
President & CEO – Second Derivative
Cybersecurity is a Top Priority
• The data tells us it’s important
• The headlines tell us it’s important
• Our colleagues are telling us it’s important
• What about YOUR organization?
Cybersecurity is a Top Priority
• Look at the Agendas for top Executive Leadership and Board of Directors meetings
• Cyber risk is business risk
• If they’re NOT talking about it, why?
  • It’s too confusing
  • It’s too technical
We have to find a way to communicate cyber risk to the Board.
Role of the Board
• “to oversee management and to advise management”
• “… an overarching and strategic vantage point to ensure the long-term prosperity and survivability of the enterprise.”
• “… a legal responsibility to provide effective governance oversight, to ensure that the enterprise is well managed and to provide reasonable protections to its customers, employees, shareholders and business partners (duty of care)”
How that manifests
• Management (C-Level)
• Approve Strategy
• Approve Budgets
  • Capital
  • Operating (FTE’s)
• Manage Risk
  • Competition
  • Market
  • Legal
• Set the Risk Appetite
The National Association of Corporate Directors (NACD)
Create a Prioritized Cybersecurity Strategy
https://www.nist.gov/cyberframework
https://learn.cisecurity.org/cis-controls-download
Create a Prioritized Cybersecurity Strategy
1. What is a Cybersecurity Strategy?
2. Pick a Framework and assess your organization (Gap Analysis)
   • Center for Internet Security (CIS) Critical Controls
   • National Institute of Standards & Technology (NIST)
   • Payment Card Industry Data Security Standard (PCI DSS)
3. Download the framework in a “mappable” form like Excel
4. Or, use online tools (CIS CSAT – free web application)
5. Identify Gaps
6. Prioritize
7. Get some help
Use “mapping” to Document What You Have
CIS Control Group 1, Control 1.2, Asset Type = Device, Security Function = Respond
Address Unauthorized Assets: Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
My Tribe leverages a Network Access Control solution to allow/deny network connections in real time via 802.1X. Extensible Authentication Protocol (EAP) Chaining is used to chain user and machine authentications together. This protocol ensures that only corporate users can authenticate to the network using a corporate-issued computer. Users and devices are registered in Active Directory to validate authorized users and devices.
Something you are. Something you have. Something you know.
Use Mapping to find the Gaps
CIS Control Group 2, Control 2.7, Asset Type = Application, Security Function = Protect
Allowlist Authorized Scripts
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
This is a gap.
Create and apply a group policy to restrict execution of unauthorized PowerShell scripts. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.2
Prioritize
What does it take to do all the Cyber Things?
Culture
Strategy
Who within your organization is in a position to give you those things?
Energy
Money
Talent
Time
Culture Eats Strategy for Lunch
What They Hear / What They See
• Password Policy / The Board shouldn’t have to change their passwords.
• Configuration Standard / The laptop is working, we can’t afford to replace it
• Purchasing Standard / I went to [conference] and I want to buy this new system. (“Shadow IT”)
• Enterprise Architecture / I want a Pixel
• Removable Media Policy [Block USB (flash) Drives] / I need to use my thumb drive
THAT is why Cybersecurity is a Board Level Imperative
• Culture starts at the Top
• The Board is in the BEST position to align resources
• The Board sets the tone with their words and actions
• If you can communicate
  • Strategy
  • Rationale
  • Role of the Board
• They will be your ally
Questions?
renita@2nd-derivative.com
11/7/22
Cyber Insurance Landscape Delane Big Crow AMERIND Safety Services
Session objectives
What is the importance of Cyber insurance for tribes?
What has increased the risk tribes face?
What do insurance companies look for?
What is the importance of Cyber insurance for tribes?
• New Risk Factors Post pandemic
• Success of Tribal Businesses
• Lack of training for employees
• New Technology
What has increased the risk tribes face?
• Cyber attacks targeting tribes • Remote work • Employee error
What do insurance companies look for?
1. Multi-factor Authentication 2. Data Back-up 3. Network Security and Segmentation
Questions Delane Big Crow dbigcrow@amerind.com 505-313-9335
What are the Crown Jewels You Are Protecting? Data and Data Sovereignty Within Tribes
Calandra “Callie” McCool Associate Attorney, Big Fire Law & Policy Group, LLP
Intro
• What types of data do casinos have? • What is at stake if there is a data privacy issue? • What can Tribes do to protect themselves? • What other kinds of data are at risk?
Types of Data in Casinos
• What kinds of data may casinos have?
Employee Data and Consumer Data, including:
• Personally Identifiable Information
• Biometrics
• Video Surveillance
• Financial Information
• Background Check Information
• Lists of “Whales”
• Gaming Credentials
• Marketing Information
Types of Data in Casinos
• What kinds of data are considered “Personally Identifiable Information” or PII?
• Under the GDPR (General Data Protection Regulation), it is considered to be “any information relating to an identified or identifiable natural person” including “reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.” Art. 4, Sec. 1.
Types of Data in Casinos
Examples of Personally Identifiable Information
Legal Names
Dates of Birth
Physical Addresses
Email Addresses
Phone Numbers
Passport/State ID Numbers
Social Security/National ID Numbers
Financial Account Numbers
Geolocation Information
IP Addresses
Types of Data in Casinos
• Third-party vendors
• Businesses are obligated to ensure that third-party vendors who handle sensitive and confidential information are handling it securely.
• Otherwise, the company can potentially be held liable for the damages that flow from a data breach.
Answers
• Contract drafting and contract review for all vendors and other external workers who could potentially interact with the Tribe’s cyber network.
• Contract Code – Drafting and implementing a robust contract code that provides the Tribe the basis to handle vendor contract disputes.
• Data Security Code – Implement a code similar to the GDPR/California Consumer Protection Act, including how to address claims against the Tribe for violations.
What is at Risk?
• LITIGATION
• TRIBAL SOVEREIGNTY AND SOVEREIGN IMMUNITY
• Also, Money. A lot of money that is essential for Tribal operations and programs.
Potential Legal Liability
• IGRA and NIGC regulations have heightened security requirements.
• For example, if a tribe with Class II gaming is found to be non-compliant, civil fines are possible, not to exceed $52,596 per count, “against a tribe, management contractor, or individual operating Indian gaming”; the amount of the fine for each count is determined by a set of factors outlined in the CFR. 25 C.F.R. § 543.20.
Potential Legal Liability
• FTC Act § 5 Compliance
• Section five of the Federal Trade Commission Act (FTCA) applies to privacy law in that it addresses unfair and deceptive trade practices. The operating language states that “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” 15 U.S.C. § 45 (2012).
• This statute has been used to hold companies liable for failing to provide the level of cybersecurity and data protection that they advertised.
• 2021: FTC rescinded 2015 policy limiting FTCA enforcement ability.
Potential Legal Liability • Gramm-Leach-Bliley Act Liability • If the gaming operation collects information about consumers for the purposes of extending or arranging a line of credit, the privacy requirements of the Gramm-Leach-Bliley Act are triggered. • While this is not much of an issue with most casino gaming activities, there are possible implications for sportsbooks and sports betting, especially depending on tribal-state agreement terms.
Gold Standard • The GDPR is the European Union’s cybersecurity law that regulates how companies can collect and process consumer data. • The GDPR is already the standard for global commerce. • California has adopted its own, more expansive version called the California Consumer Protection Act • For example, CA residents have the right to access gathered information and delete or opt out of the sale of their information
Gold Standard
• Companies that regularly participate in commerce with European countries have already implemented GDPR-required security measures in order to continue working with those clients.
• Earlier this month, President Biden signed an Executive Order outlining the United States’ plan to meet the terms of the new EU-U.S. Data Privacy Framework, a replacement for the EU-U.S. Privacy Shield that was struck down by the Court of Justice of the EU.
• While this Executive Order does not fully implement the GDPR personal information standard in the United States, it is only a matter of time until that is the industry standard here as well.
Remember TRIBES HAVE THE POWER! TO LEGISLATE!
What Other Risks? • Depending on how “successful” the attack is, there are risks to the rest of the Tribe’s digital assets, which can leave the Tribe vulnerable in a lot of ways. • Additional legal liability under HIPAA-HITECH • Threat to infrastructure stability • Illegal access to legal, medical, police records, intellectual property, PII of enrolled members • Access to cultural knowledge and resources not meant for public access
More Answers
• Segmenting networks
• Data Sovereignty Code – Codify use, control, access requirements for Tribal resources
• Tribal or third-party Internal Review Boards (IRBs)
• Resource Access Restrictions
• Limitations on Use of Materials
• Restriction on Internet Resources
Other Data in Danger
• Infrastructure Controls
• Statistical Information
• Language Resources
• Medical Data
• Medical Samples
• Genetic Material
• Plant/Animal Specimens
• Genealogy and Enrollment Records
• Cultural Resource Materials
• Archives including Recorded Audio and Video, Elder Interviews
• Copyrights and Trademarks
• Legal Records
• Police Records
• Physical Artifacts and Digital Records of Same
• Sacred Items
• Plant Knowledge/Traditional Medicinal Knowledge
• Geological/Mineral Information
• Hydrological Information
• Sacred Site and Grave Site Locations
• Stories and Music
• Art
• AND MORE
Additional Threats
• Private Companies Want Native Data
  • Medicines (ex. malarial medications)
  • Seeds/grains (ex. Basmati RiceTech lawsuits)
• Pretendians and Fake Tribes
  • Access to genealogical information
  • Human genomic data
Considerations • What concerns does your Tribe have regarding their other data?
• Protection of sacred knowledge, stories, art, other IP • Protection of medical data/research data/genomics • Protection of linguistic and cultural assets
Considerations
“I have a rule when quoting elders and traditional leaders in a book. Basically, the story belongs to them, and so I do not want to be the first person to put a story in print. I therefore try to find a published account that confirms what an elder has told me and use that version instead of the tradition as related to me by the elder. Thus, there are a considerable number of stories that I could have put into this book that will not appear until the elders themselves authorize them to be published.” Red Earth, White Lies, Vine Deloria Jr. at xv.
Considerations • Each Tribe gets to Decide How Restrictive Each Protection Is Individually • Each Tribe has Different Concerns • Specialized Provisions to Address Specific Concerns Bolster Tribal Data Sovereignty Statutes
Questions?
Calandra “Callie” McCool cmccool@bigfirelaw.com Office: 531.466.8725 Direct: 405.639.9811
PC: TE-5013-1
Tanja Jacobsen, MBA, MS, PMP, CISSP
Speakers
Tanja Jacobsen, MBA, MS, PMP, ACP Marketing & Cyber Security Executive Webroot Cybersecurity Solutions Sales Certified
15+ years of digital and traditional marketing, IT, and project management experience MS in Cybersecurity, Cyber Policy and Risk Management as well as degree in Counter-Intelligence and Cyber Operations
Fortune 1000, SMB, Education
Hofstra and SNHU (Southern New Hampshire University) University Course Developer and Instructor
Volunteer Firemedic, EMT
Average Cost of Cyber Attacks
Cyber attacks are now the number one external risk factor facing businesses, according to 23.1% of the 39 CFOs in the CNBC CFO Survey report.
It only takes one click to lose millions!
Did you know…
Straight from headlines:
“We regret to inform you, but your financial data might have been stolen.”
A scene straight out of your worst nightmare. It’s something that giant auditing firm Deloitte and a small Connecticut-based accounting firm had to deal with when they were hacked. Data breaches affect firms of all sizes, reiterating that the need for stronger cybersecurity for accounting firms is more real — and pressing — than ever.
Cybersecurity threats by the numbers
• Jack Dorsey’s crypto organization suffers an embarrassing hack; financial data compromised.
• In 2016, 3B Yahoo accounts were hacked in one of the biggest breaches of all time. (Oath.com)
• In 2019, First American Financial Corporation leaked 885 million users’ sensitive records dating back more than 16 years. (UpGuard.com)
• In 2019, two-thirds of Facebook app datasets were exposed to the public Internet, over 533 million records. (UpGuard.com)
• In 2021, information on more than 700 million LinkedIn users was posted for sale on a Dark Web forum. (UpGuard.com)
• In 2016, it was reported that hackers stole the information of over 57M riders and drivers. (Uber)
• In 2017, 412M user accounts were stolen from FriendFinder’s sites. (LeakedSource)
• In 2017, 147.9M consumers were affected by the Equifax breach. (Equifax)
• According to 2017 statistics, there are over 130 large-scale, targeted breaches in the U.S. per year, and that number is growing by 27 percent per year. (Accenture)
• 31% of organizations have experienced cyber attacks on operational technology infrastructure. (Cisco)
• 100,000 groups in at least 150 countries and more than 400,000 machines were infected by the WannaCry virus in 2017, at a total cost of around $4B. (Malware Tech Blog)
• Attacks involving cryptojacking increased by 8,500% in 2017. (Symantec)
• In 2017, 5.4B attacks by the WannaCry virus were blocked. (Symantec)
• In 2017, cyber crime costs accelerated, with organizations spending nearly 23 percent more than in 2016, on average about $11.7M. (Accenture)
• The average cost of a malware attack on a company is $2.4M. (Accenture)
• The average cost in time of a malware attack is 50 days. (Accenture)
• From 2016 to 2017 there was a 22.7% increase in cybersecurity costs. (Accenture)
• The most expensive component of a cyber attack is information loss, which represents 43% of costs. (Accenture)
• Ransomware damage costs exceeded $5B in 2017, 15X the cost in 2015. (CSO Online)
• Massive data breach hits Capital One, affecting more than 100 million customers (social security numbers, banking information and more exposed!)
How many of you
Connected to the hotel free Wi-Fi?
What is Human Firewall?
People that follow best practices to prevent as well as report any data breaches or suspicious activity
Human Firewall weaknesses
• Phishing attacks
• Shoulder surfing
• Untrained employees
• Data theft/loss
• Malware
Combating Human Firewall Weaknesses
• Remain aware of your surroundings when using a VPN
• When in a public space, find a secluded or discreet area to enter private information into your device
• Save passwords with a password manager (so you log in to accounts while revealing minimal info)
• Activate two-factor (aka multi-factor) authentication on any account; it prevents others from using your password to access your account
• Don’t share passwords – ever!
• Use a privacy screen or transparent screen cover that reduces viewing angles when using your devices in public
How to Avoid being Hacked
• Multi-Factor Authentication
• Get a Password Manager
• Learn how to spot a Phishing Attack
• Update everything (Software, Phone OS..)
• Encrypt everything
• Wipe your Digital Footprint
Multi-Factor Authentication (MFA)
Password Management
• Best Overall: LastPass
• Best for Extra Security Features: Dashlane
• Best Multi-Device Platform: LogMeOnce
• Best Free Option: Bitwarden
• Best for New Users: RememBear
• Best for Families: 1Password
• Best Enterprise-Level Manager: Keeper
Don’t store all your passwords…
In your browser (like Google Chrome) Why? If your Google Chrome gets hacked, bad actors get access to ALL your passwords!
Beware of Bogus Invoices!
1. Middle market companies lose on average $300K in invoice fraud annually
2. It happens frequently but people don’t talk about it because it’s embarrassing
3. Only 1 in 4 finance executives can even estimate how much invoice fraud is costing their businesses
4. Common frauds are illegitimate vendors, invoice spoofing/fake invoices, & intercepting of mailed checks
Beware the ads you click on!
Malvertising = malware. It can:
• Steal your passwords
• Delete your files
• Use your PC resources
• Render your devices inoperable
Avoid getting Phished
Did you know
• Roughly 7 phishing attacks occur every minute
• Deceptive emails, websites, text messages
• Attackers are adjusting their methods to compromise entire email services
• Attackers can abuse legitimate contact forms on websites to send emails
• Fake reply emails such as gift card scams (trick users into thinking they were expecting these emails)
Emails – Phishing Risk 91% of Cyber attacks start with a phishing email…
Top reasons people are duped by phishing emails
• Curiosity 13.7%
• Fear 13.4%
• Urgency 13.2%
• Reward/recognition, social, entertainment and opportunity
Phishing Samples
Latest Google Phishing scam
One way to avoid phishing scams
Reduce risk to phishing by
• Always use spam and phishing filters
• Watch out for grammar errors and strange email addresses
• Do NOT tap or click on any unknown links or email attachments
• Rotate passwords regularly
• Don’t be tempted by pop ups…
Trust but verify…
Malicious emails that come from a trusted vendor’s or supplier’s legitimate email address likely won’t be flagged by a secure email gateway as suspicious. Data found that account takeover comprised 2% of malicious emails analyzed.
Update everything…
• Fix software and applications
• Patch management
• Create a more secure environment
• Experience improved feature/functionality
Patch/Update OS/SW process
• Have a current inventory of all systems
• Devise a plan
• Have a list of security controls (firewalls, antivirus and vulnerability management tools – run scans…)
• Compare the vulnerability report against the inventory to understand security risks
• Classify (and prioritize) risk
• Test (apply patches in a test environment)
• Apply patches
Encryption best practices
Never send sensitive information across email Keep your encryption key secure
Have secure storage
Use automation
Access and audit logs
Backups
Have encryption key life cycle management
Caution: Third-party integration Rule of Least Privilege
Terminate legacy (unused) keys
Zero Trust
Managing your digital footprint
Look yourself up online List down all your accounts
Use privacy settings
Keep things professional Keep your profile up to date
Don’t overshare
Delete unflattering content Check your browser for cookies
Update your software
Use digital tools (anti-tracking tools, privacy search engines or anonymous browsers)
IoT
• Cell Phones
• iPads
• FitBits or other sports activity devices
• Medical Devices
Common IoT Cyber Risks
• Poor Data Protection
• Poor Password Protection
• Unpatched Devices
• Poor IoT Device Management
• IoT Skills Gaps
IoT Did you know…
Common IoT types of Cyber Attacks
• DDoS
• Firmware exploits
• Man-in-the-middle
• Data interception
• Physical attacks
• Brute force attacks
• Unauthorized access
• Ransomware
• Radio frequency jamming
Did you know…
Electric Vehicles could have risk
Digital components = lots of data
Questions
Tanja.Jacobsen@outlook.com www.cinoltd.com (516) 932-0317 x309
Mapping the MICS to the NIST Framework Building a Strong Security Foundation
Indian Gaming Association Cybersecurity Training Thursday, October 20, 2022 9:00 am – 10:30 am
Welcome
Renita DiStefano - MBA, CISSP, CISM, CRISC, CISA, CSOX, CGEIT President & CEO – Second Derivative
Untangling the Myriad of Standards & Regulations
Side by Side – They All Have the Same Elements
https://www.nist.gov/cyberframework
https://learn.cisecurity.org/cis-controls-download
The Good News
• They all have common requirements
• They can be “mapped”
• Policies, Procedures & Standards are the Foundation of any Information Security & Assurance Program
• Don’t Start from Scratch!
• Solve for one, extend to many
• Assurance: Make it Audit-Proof
Common Requirements & Mapping:
Function: NIST PROTECT (PR)
Category: Identity Management, Authentication and Access Control (PR.AC)
Description: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
Policies, Procedures & Standards are the Foundation of any Information Security & Assurance Program
Establishes the Following:
• Who: Roles & Responsibilities • What: Policy & Standards • Where: Scope • When: Frequency, Timing • Why: Rationale • How: Standard Operating Procedure (technical details)
Don’t Start from Scratch!
Examples of Compensating Controls
1. Privileged Account Management (PAM) System
2. Just-in-Time Access (disabled until requested)
3. Random-generated, complex password assigned at creation
4. Limit the number of connections
5. Limit WHERE the account can authenticate from (IP address)
6. Limit the ability to get an interactive session
7. Limit command line access
8. Limit the ability to change its own password
9. Give the process visibility
10. Include IT
11. Secure authentication protocols
Configuration Management
1. Adopt a Standard: https://www.cisecurity.org/cis-benchmarks/
2. Download the CIS Hardened Image
3. Adjust to create your “Golden Image”
4. Operationalize with your build system
5. Cycle the “Golden Image” into the Patch Cycle
6. Train, Train, Train
7. Combines Process, Technology and People
CIS Hardened Images® are securely configured according to applicable CIS Benchmarks™.
Why did I pick those two examples?
Assurance: Make it Secure, Make it Audit-Proof
Administrative Control: Standard Operating Procedure: Authorization of Privileged Accounts
[your tool] will monitor the Active Directory “Domain Admins” organizational unit and send real-time text message and email alerts to [compliance@yourtribe.com] to notify when a privileged account has just been created by [Administrator Name] at [MM/DD/YY, HH:MM:SS]. Email notification will be sent to [compliance@yourtribe.com] and [helpdesk@yourtribe.com], which will automatically create a ticket in your support desk software and assign it to [compliance group]. The ticketing system will send an email to compliance@yourtribe.com, which will notify a distribution group that a ticket has been assigned for follow up.
Control Activity: Compliance team member checks the ticketing system to ensure that the privileged account has been properly authorized and that it has the correct privileges and compensating controls. Team member updates the ticket with their results and assigns the ticket to a manager (or above) for closure/follow up. Manager reviews and closes/follows up as appropriate.
Outcome: Potential: identify a gap in an upstream process or a performance opportunity. Systems thinking approach.
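As an added example (not the speaker’s tooling or any product’s code), the following Python script shows the detection behind the SOP above: it reads constructed Windows Security events in a made-up key=value export format, keeps additions to privileged groups, and pairs each with the change ticket the compliance team would look for. The event IDs (4728, 4756, 4732), the group names, the yourtribe.com DNs and the ticket list are assumptions for the example.

```python
"""Alert on additions to privileged AD groups and correlate with change tickets.

Constructed example for the SOP above: the events and the approval list are
made up, not real log output. Assumption: the monitoring tool consumes Windows
Security events 4728 (member added to a security-enabled global group, which
is what Domain Admins is), 4756 (universal group) and 4732 (local group).
"""
import shlex

GROUP_ADD_EVENTS = {"4728", "4756", "4732"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample events in a simplified key=value export format.
SAMPLE_EVENTS = """\
2022-10-19T09:12:05 EventID=4720 Subject=jdoe Target=svc_backup
2022-10-19T09:13:40 EventID=4728 Subject=jdoe Group="Domain Admins" Member="CN=svc_backup,OU=Service Accounts,DC=yourtribe,DC=com"
2022-10-19T10:02:11 EventID=4728 Subject=asmith Group="Help Desk" Member="CN=tlee,OU=Users,DC=yourtribe,DC=com"
2022-10-19T14:45:03 EventID=4756 Subject=asmith Group="Enterprise Admins" Member="CN=asmith2,OU=Users,DC=yourtribe,DC=com"
2022-10-20T08:30:19 EventID=4729 Subject=jdoe Group="Domain Admins" Member="CN=svc_backup,OU=Service Accounts,DC=yourtribe,DC=com"
"""

# Constructed approvals from the ticketing system: member DN -> change ticket.
APPROVED_TICKETS = {
    "CN=svc_backup,OU=Service Accounts,DC=yourtribe,DC=com": "CHG-1042",
}


def parse_events(text):
    """Parse the key=value export into dicts; the first token is the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = shlex.split(line)  # honours the quotes around values with spaces
        event = {"time": tokens[0]}
        for token in tokens[1:]:
            key, _, value = token.partition("=")  # DN values contain '=' themselves
            event[key] = value
        events.append(event)
    return events


def privileged_additions(events):
    """Keep only group-addition events whose target is a privileged group."""
    return [e for e in events
            if e.get("EventID") in GROUP_ADD_EVENTS
            and e.get("Group") in PRIVILEGED_GROUPS]


def build_alerts(events, approved):
    """Pair each privileged addition with its change ticket; flag the ones with none."""
    alerts = []
    for e in privileged_additions(events):
        ticket = approved.get(e["Member"])
        alerts.append({
            "time": e["time"],
            "group": e["Group"],
            "member": e["Member"],
            "by": e["Subject"],
            "ticket": ticket,
            "status": "authorized" if ticket else "UNAUTHORIZED",
        })
    return alerts


def format_alert(alert):
    """Text of the real-time notification the SOP sends to the compliance mailbox."""
    return (f"[{alert['status']}] {alert['member']} added to {alert['group']} "
            f"by {alert['by']} at {alert['time']} "
            f"(ticket: {alert['ticket'] or 'none found'})")


if __name__ == "__main__":
    for alert in build_alerts(parse_events(SAMPLE_EVENTS), APPROVED_TICKETS):
        print(format_alert(alert))
```

The removal event (4729) and the Help Desk addition are deliberately ignored, so only the two privileged additions surface, one with a ticket and one without.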
Assurance: Make it Secure, Make it Audit-Proof
Administrative Control: Encryption Standard: Laptops will be encrypted
On the first day of each quarter (Jan 1, April 1, July 1, Oct 1) [your tool] will check all laptops (AD Organizational Unit OU) to make sure they are encrypted. A list of laptops that fail the encryption check will be emailed to [helpdesk@yourtribe.com], which will automatically create a ticket in your support desk software and assign it to [administrator’s group]. The ticketing system will send an email to admins@yourtribe.com, which will notify a distribution group that a ticket has been assigned for follow up.
Control Activity: Administrators perform follow up and resolve. They update the ticket with their results. Extra: re-run the encryption check until there are zero fails.
Outcome: Potential: identify a gap in an upstream process, i.e. the deployment process. Systems thinking approach.
Questions?
renita@2nd-derivative.com
Essential Elements of a
Fully Managed Cybersecurity and Compliance Program
About Jeremy
• Chief Technology Officer and Partner of Abacode, Inc., a Tampa, Florida based company that provides managed cybersecurity and compliance programs to businesses across all industries.
• Adjunct professor at the University of South Florida and founder of the USF Whitehatters Computer Security Club.
• Taught courses in cryptography & network security, ethical hacking, digital forensics & investigations, and mobile & wireless security.
• Has performed research & development of cyber solutions and built cyber services teams for government and commercial customers for 30 years.
• Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH).
• Named 2017 Tampa Bay Technology Leader of the Year.
linkedin.com/JeremyLRasmussen
@jeremycec
Cybersecurity Awareness Month Tip of the Day
What are DMARC, DKIM, and SPF? Important security settings in your Domain Name Service (DNS) records that should be configured to keep phishing attackers from sending emails that appear as if they are coming from your domain. DNS is the Internet service that maps domain names, e.g., yngc.com, to addresses such as 45.79.103.37. If DMARC, DKIM, and SPF are set, then someone at 131.247.100.1 cannot send an email from chief@yngc.com without it being disregarded by mail servers.
Use https://mxtoolbox.com to check yours!
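As an added illustration (not part of the presentation, and not how mxtoolbox works internally), the Python below evaluates SPF and DMARC TXT records the way a receiving mail server reads them: it parses the final "all" qualifier of the SPF record and the p=, rua= and pct= tags of the DMARC record, and reports why spoofed mail would or would not be refused. The domain names and records are constructed samples; the code does not query DNS, so you would paste in the TXT records a lookup returned. DKIM is not checked because verifying it needs the sending selector's public key and a signed message.

```python
import re

# Constructed sample TXT records; none belong to a real domain.
SAMPLE_RECORDS = {
    "good.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100",
    },
    "weak.example": {
        "spf": "v=spf1 +all",          # every host on the Internet passes SPF
        "dmarc": "v=DMARC1; p=none",   # monitor only, nothing is enforced
    },
    "missing.example": {
        "spf": "v=spf1 a mx ~all",
        "dmarc": None,                 # no DMARC record published at all
    },
}


def parse_spf(record):
    """Split an SPF TXT record into its mechanism terms and the final 'all' qualifier."""
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier = [], None
    for term in record.split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            all_qualifier = match.group(1) or "+"  # a bare 'all' means '+all'
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record):
    """Parse the 'tag=value;' pairs of a DMARC TXT record into a dict."""
    if record is None or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_domain(spf_record, dmarc_record):
    """Return findings explaining why spoofed mail would still be accepted; empty means enforced."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no record; receivers cannot tell which hosts may send for this domain")
    elif spf["all"] == "+":
        findings.append("SPF: '+all' passes every sending host")
    elif spf["all"] is None:
        findings.append("SPF: no 'all' term; unlisted hosts get a neutral result")
    elif spf["all"] == "?":
        findings.append("SPF: '?all' is neutral; spoofed mail is not failed")
    elif spf["all"] == "~":
        findings.append("SPF: '~all' softfail; rely on DMARC to enforce")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("DMARC: no record; SPF/DKIM results are not enforced")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine sends failures to spam rather than rejecting")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address; aggregate reports are not collected")
        pct = int(dmarc.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


def evaluate_samples(records=SAMPLE_RECORDS):
    """Evaluate every sample domain and return {domain: findings}."""
    return {domain: evaluate_domain(r["spf"], r["dmarc"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, findings in evaluate_samples().items():
        print(domain, "->", findings or ["enforced"])
```

Only good.example comes back clean: a hard-fail SPF record plus p=reject with a reporting address. The other two show the common half-configured states where records exist but nothing is actually enforced.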
Problem statement
1. BEST PRACTICES. Agencies need to implement controls to protect data and networks, aligned with a best practices framework, e.g., NIST CSF.
2. HIRING. Finding, hiring, and retaining cyber talent has proven difficult. E.g., half of Florida state cyber positions are vacant.
3. EXACERBATING ISSUES. Rampant ransomware, nation-state gathering/disruption efforts, rising cyber breach insurance costs and underwriting requirements, etc.
The Three C’s we need to address
External Forces Driving Cybersecurity Compliance Requirements
Clients / Partners
Audit & Attestation Requests
Insurance Underwriters
Industry & Regulatory
States with passed or pending privacy regulation
CUSTOMER
• Prospects and Clients expect a level of data protection
• Potential for lost revenue
• Contractual obligations
• As a provider, you must adhere to standards
• Contractual commitment
• Industry, state, and federal data protection regulations are increasing across the board
Result: Compliance product and Cybersecurity product overload
Confidential and proprietary. © Copyright 2022 Abacode. All rights reserved.
Best practices alignment: NIST Cyber Security Framework (CSF)
• Identify your critical data & assets (what, where, how, etc.)
• Protect your critical data & assets (encryption, multifactor authentication, data loss prevention, etc.)
• Detect cyber threats through instrumentation, telemetry, and analysis
• Respond to cyber threats in a timely manner to contain & constrain
• Recover from incidents by closing the loop on issues and improving for the future
Proposed Solution: Continuous Security & Compliance
Features:
• 24/7/365 “eyes on glass” MDR/XDR/EDR/SOAR, threat hunting, and compliance monitoring
• Integrated Portal - Compliance & Cybersecurity
• Consolidated reporting
• Mapped to critical compliance controls
• Turnkey program built for flexibility
Benefits:
• Compliance & cybersecurity integrated into ONE managed program
• Continuous cybersecurity & compliance monitoring
• Entire team of cybersecurity & compliance experts for a fraction of the cost
• Continuous compliance attestation for auditors, prospects, clients, partners, and supply-chain
Continuous Cybersecurity and Compliance
Continuous Monitoring: 24/7 SIEM/SOC Services
NIST Cybersecurity Framework Elements:
• Detect
• Respond
• Recover
SIEM / XDR technologies. Some examples:
• AT&T Cybersecurity USM Anywhere
• IBM QRadar
• Elasticsearch, Logstash, and Kibana (ELK)
• LogRhythm
• Stellar Cyber
• Splunk Enterprise Security
Service manager provides either:
1. Fully managed turnkey solution – software licensing, hardware (as required), and labor
2. Co-managed solution – utilizing your existing environment; they provide vSOC monitoring labor
Sample SIEM deployment with USM Anywhere
U.S.-Based Security Operation Centers Las Vegas, NV and Tampa, FL
URLs, Malware Hashes, Domains, IP Addresses
Security Stack Solutions: Endpoint Protection, Cloud Gateway Security, Next-gen Firewalls, Email Security, Etc.
AT&T Cybersecurity USM Anywhere
Abacode Compliance Portal
Security Events – Log Source Examples
Public Cloud
On-Prem / Security
End Points
SaaS
Continuous monitoring overview
Tier 1: Eyes-on-glass 24/7/365
Tier 2: Escalations
Initial analysis & triage
Recommended actions & response
Tier 3: Advanced Threat Hunting
Tier 2: Active Response
Depends on complexity and potential impact
Managed response actions
Deep-dive analysis, threat hunting, active response
Conti Ransomware ATT&CK Signatures:
1. Initial access: phishing, remote desktop exploit, unpatched systems.
2. Execution: Windows command line; API calls.
3. Persistence: stolen account creds; external connections (e.g., VPN or Citrix).
4. Privilege escalation: encrypted DLL injection.
5. Defense evasion: encryption; obfuscation.
6. Credential access: Mimikatz or other.
7. Discovery: enumerates network connections; retrieves ARP cache.
8. Lateral movement: taints network shared drives; spreads via SMB.
9. C&C: hard-coded IPs via HTTP.
10. Collection & exfil: 7Zip & WinSCP to cloud.
11. Impact: AES-256-bit encryption.
12. Impact: stops 146 Windows services related to security and backups using net stop.
13. Impact: deletes Windows Volume Shadow Copies using vssadmin.
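The last two Impact items in this list are what a SIEM or SOC analyst can actually key detections on, because both leave a process-creation trail. The Python below is an added example (not from the presentation and not Abacode's or any vendor's detection content) that runs two rules over constructed process-creation events: a pattern match for shadow-copy deletion via vssadmin, and a sliding-window count of net stop commands per host, since one stopped service is routine administration while dozens in a minute are not. Hostnames, users, timestamps, the threshold and the window are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (host, ISO timestamp, user, command line),
# in the shape a SIEM receives from Windows Security event 4688 or Sysmon event 1.
# None of these hosts or users are real.
SAMPLE_EVENTS = [
    ("WS-017", "2022-10-20T02:14:03", "CORP\\svc_backup", "vssadmin.exe delete shadows /all /quiet"),
    ("WS-017", "2022-10-20T02:14:05", "CORP\\svc_backup", 'net stop "Veeam Backup Service" /y'),
    ("WS-017", "2022-10-20T02:14:05", "CORP\\svc_backup", "net stop MsMpSvc /y"),
    ("WS-017", "2022-10-20T02:14:06", "CORP\\svc_backup", "net stop WinDefend /y"),
    ("WS-017", "2022-10-20T02:14:06", "CORP\\svc_backup", "net stop wbengine /y"),
    ("WS-017", "2022-10-20T02:14:07", "CORP\\svc_backup", "net stop VSS /y"),
    ("WS-017", "2022-10-20T02:14:08", "CORP\\svc_backup", "net stop SQLWriter /y"),
    # A lone service restart by an administrator during business hours: not alerted.
    ("WS-042", "2022-10-20T09:03:11", "CORP\\jdoe", "net stop Spooler"),
    ("WS-042", "2022-10-20T09:03:15", "CORP\\jdoe", "net start Spooler"),
    ("WS-042", "2022-10-20T09:10:00", "CORP\\jdoe", "notepad.exe report.txt"),
]

# Item 13 on the slide: shadow-copy deletion (ATT&CK T1490, Inhibit System Recovery).
SHADOW_COPY_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# Item 12 on the slide: bulk service stops (ATT&CK T1489, Service Stop).
NET_STOP = re.compile(r"\bnet1?(?:\.exe)?\s+stop\b", re.IGNORECASE)
NET_STOP_THRESHOLD = 5                   # this many stop commands on one host ...
NET_STOP_WINDOW = timedelta(seconds=60)  # ... within this window raises an alert


def detect(events, threshold=NET_STOP_THRESHOLD, window=NET_STOP_WINDOW):
    """Run both rules over the events and return one alert dict per rule hit."""
    alerts = []
    stops_per_host = defaultdict(list)
    for host, ts, user, cmdline in events:
        when = datetime.fromisoformat(ts)
        if SHADOW_COPY_DELETE.search(cmdline):
            alerts.append({"rule": "shadow_copy_deletion", "host": host, "user": user,
                           "time": ts, "cmdline": cmdline})
        if NET_STOP.search(cmdline):
            stops_per_host[host].append((when, user))
    # Sliding window: alert once per host when >= threshold stops fall inside the window.
    for host, stops in stops_per_host.items():
        stops.sort()
        for i, (start, user) in enumerate(stops):
            in_window = [s for s in stops[i:] if s[0] - start <= window]
            if len(in_window) >= threshold:
                alerts.append({"rule": "mass_service_stop", "host": host, "user": user,
                               "time": start.isoformat(), "count": len(in_window)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both alerts land on WS-017 under the same service account within five seconds, which is the correlation a Tier 2 analyst wants handed to them as one escalation rather than seven separate events; WS-042's single net stop stays below the threshold and produces nothing.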
MITRE ATT&CK Framework/ Cyber Kill Chain
Abacode’s approach to fully managed Cybersecurity & Compliance
What is Security as a Service? Cybersecurity: Critical Importance of a Strong Security Culture
Amit Sharma Chief Executive Officer BMM Innovation Group
company confidential
Agenda
§ Definitions
§ The Cyber Challenges
§ The Risks
§ Can Security as a Service Help?
§ Advantages / Disadvantages
Definitions Managed Security Services A general term for any security tasks or processes that you outsource to a third-party (e.g., managing user access, operating a SIEM or SOC, etc.)
Security as a Service (SECaaS ) Another term for Managed Security Services
SOC as a Service A Security Operations Center (SOC) is where all security alerts, security incidents, security intrusions, etc., are monitored and triaged. In this case, this would be done by an external third-party.
SIEM as a Service A Security Information and Event Management (SIEM) tool is a piece of software that collects security alerts and events into a central location for faster and improved analysis. Like a SOC, the operation and oversight of a SIEM can be outsourced to a third-party.
The Challenges
The Business Challenge Today, all organizations, businesses, governments, individuals and any other entity must accept that they can be a target of cybercrime. Cybercriminals evolve their techniques and methods on a daily basis and are sometimes even state-sponsored. How can your organization maintain currency with the latest cyber attack and defense techniques in order to reduce the risks to the organization? How can this be done while still carrying on your core business operations?
Technical Challenge
Timely application of patches, updates, and fixes
Attacks on cloud- based infrastructure, data, or applications
Social engineering attacks like phishing
Ransomware attacks
Can your team stay on top of all of this on their own?
AI-based cyberattack tools
Insider risks
Remote working
The Evolution of Cyber Threats and Their Solutions
The People Challenge
People as the cyberattack vector Cybersecurity education for staff keeps coming up as an area of high risk in annual security white papers. Phishing, Vishing (telephone calls), and Smishing (SMS phishing) are all being used by attackers to target your employees daily.
Security staffing
Staff retention Keeping your security knowledgeable staff is challenging in the current job market
The global shortage of qualified security personnel drives a need to look for other options to help
Compliance Challenge Security standards and frameworks are evolving and some have added requirements around ensuring you are collecting security information, analyzing that information, monitoring for security events and responding to all of these security data/events.
ISO 27002
PCI-DSS
NIST SP 800-137
The Risks
The Business Risks
https://www.sec.gov/rules/proposed/2022/33-11038.pdf
Financial and Business Implications
• 83% of organizations reported more than one data breach.
• Average data breach cost was $4.35 million.
• Average cost of a ransomware attack was $4.54 million.
• On average, it took 207 days to identify a data breach and 70 more to contain it.
• Stolen account credentials took 327 days on average to identify and contain.
• Breaches cost about $1 million more for companies that had a large share of remote employees (80% vs 20%).
• 1 in 5 breaches were caused by stolen or compromised logins.
Source: IBM 2022 Cost of a Data Breach Report
People Stats
Cybercriminals use social engineering in 98% of attacks. There are 75 times as many phishing websites as malware sites. 75% of companies worldwide were victims of phishing in 2020. With 241,342 successful incidents, phishing was the most common cybercrime in 2020 in the US. A ransomware attack is successful every 11 seconds. In 2019, the cost per compromised record was $150 on average. The US government allocated nearly $19 billion for cybersecurity in 2021.*
* https://webtribunal.net/blog/social-engineering-statistics/#gref
How can SECaaS Help?
Managed SOC / SIEM Platform
Data Loss Prevention
Business Continuity / Disaster Recovery
Forensic Analysis, Threat Hunting
Risk Assessments and Simulations
Education and Training
Incident Response
Anti-Phishing
CISO as a Service, vCISO
Etc…
Types of Services
Business Advantages
COST SAVINGS
LATEST SECURITY TOOLS AND UPDATES
FASTER PROVISIONING AND GREATER AGILITY
FREE UP RESOURCES
EXPERTS IN THE FIELD
Risk Management: Security Professional Services Security Management System
Policy / Standard / Process Assistance
Training for Security Staff
24/7/365 Active Monitoring
Assessments, Vulnerability, Penetration Testing
Security Audit Preparation
vCISO
A Managed SOC/SIEM service
• Monitors for Indicators of Compromise (IoC) rather than specific security event types; this is the most resilient way forward for risk reduction.
• Can utilize Artificial Intelligence (AI) to assist with IoC analysis and reduce the response time to security events.
• Threat Intelligence analysis can be included.
• Ensures your security staff stay security aware 24/7/365 with a SOC that is staffed and operational at all times.
• Can pre-process security events to reduce false positives.
• A qualified SOC team can provide a list of actions for resolving security events.
• Reduces in-house workload.
• Provides expert-level professionals.
BIG Cyber Multi-Layered and Multi-Dimensional Security
Security Awareness Security Support
PEOPLE
BIG Cyber Education and Training
ISMS Risk Management Security Management Secure Processes
PROCESS
BIG Cyber Expert Security Consulting Services
IT Infrastructure
TECHNOLOGY
BIG Cyber 24/7/365 Active Monitoring
Certifications, Experience, and Expertise Certifications
CISA, CISM, CISSP, CGEIT, PCIP, CIPP/C, ITIL, MCSE, ISO 27001 Master, CRISC, CDPSE, CTT+, CBCP, C|CISO, ISO 27002, ISO 38500, OSCP, CEH, ISO 27005, ISO 27032, and more! Experience Lottery & Gaming, iGaming, Law Enforcement, Health Care, Government, Utilities, Manufacturing, Retail… Security Expertise ISACA Chapter Board Member, Canada Standards Council Committee Member, Cloud Security Alliance Committee Member...
Amit Sharma CEO
DIGITAL PAYMENT SECURITY
WHAT YOU NEED TO KNOW
PRESENTED BY: MELISSA AARSKAUG & TIGER TAYLOR
TODAY’S AGENDA
✓ Introduction + About Bulletproof
✓ Growth in Cybercrime + Technology
✓ A Deeper Dive into Digital Payment
✓ How To Address Digital Payment Security Challenges
✓ Key Takeaways/Q&A Session
INTRODUCTION
TIGER TAYLOR Account Executive
MELISSA AARSKAUG VP, Business Development
✓ 17+ Years of tribal + gaming experience [Cherokee Tribal Member]
✓ 11+ Years of Cybersecurity Experience
✓ Experience working with tribes, gaming, government, state agencies, + more
✓ Dedicated to serving tribal nations with complex IT, security, + compliance challenges
✓ Committed to helping our clients solve their challenges
✓ Technical experience
ABOUT BULLETPROOF
2+ Decades Experience | Global Footprint | State-of-the-Art SOC
BULLETPROOF SERVICES:
Managed Services | Managed Security Services | Cybersecurity Services | Professional Services | Cloud Consulting
BULLETPROOF OFFICE LOCATIONS
HEADQUARTERS FREDERICTON, NB
BULLETPROOF CREDENTIALS
5X Microsoft Partner of the Year Winner (Global, Security)
11 Gold Competencies
2021 Impact Award Winner
Proud MISA Member
Global Security Partner of the Year
Awarded for demonstrating excellence in innovation and implementation of customer end-to-end security solutions based on Microsoft technology globally.
THE MARKET: GROWTH IN CYBERCRIME + TECHNOLOGY
• The average data breach takes 277 days to be identified + contained.
• The 2022 average total cost of a data breach is $4.35M USD.
GROWTH IN CYBERCRIME
• Tribes that collect sensitive data & information are prime targets.
• Increased consumer adoption of digital payment drives demand.
• Digital payment is a method consumers can use to make a payment that’s quick, convenient, + safe.
GROWTH IN TECHNOLOGY + DIGITAL PAYMENT
• Payment security market expected to reach $54.1B by 2028.*
• New technology = New risk
• Organizational changes due to COVID + an accelerated digital workforce
• Global impact on retaining cybersecurity talent
• Shifting from on-premise to hybrid/cloud-only model
• Keeping up with security posture management
• Increase in cybersecurity insurance premiums
• Data management & privacy (PII/KYC)
MODERN TRIBAL CYBERSECURITY CHALLENGES
THE RISE OF THE CYBERCRIME GIG ECONOMY
Cybercrime used to be the domain of skilled hackers. This is no longer true.
Ransomware is a Booming Business The average ransomware demand climbed to $200K.
Any device that is connected is a target.